
Our mail server was originally set up using self-created certificates. However, when those expired and I tried to recreate them, the whole thing just blew up. Since I know it will be important: we are running a Debian server and Postfix.

Now I see these errors generated in the mail logs:

May 15 08:06:34 letterpress postfix/smtpd[22901]: warning: cannot get certificate from file /etc/postfix/ssl/smtpd.cert
May 15 08:06:34 letterpress postfix/smtpd[22901]: warning: TLS library problem: 22901:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('/etc/postfix/ssl/smtpd.cert','r'):
May 15 08:06:34 letterpress postfix/smtpd[22901]: warning: TLS library problem: 22901:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
May 15 08:06:34 letterpress postfix/smtpd[22901]: warning: TLS library problem: 22901:error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib:ssl_rsa.c:720:
May 15 08:06:34 letterpress postfix/smtpd[22901]: cannot load RSA certificate and key data

And when trying to access email from a client like Thunderbird from outside our local network, you receive "Unable to connect to smtp server".

I have verified that the file /etc/postfix/ssl/smtpd.cert does exist. The current owner of the file is root:root. Does this need to be changed?

masegaloeh
Noah Goodrich

3 Answers


Your /etc/postfix/main.cf will contain the following three directives.

 smtpd_tls_cert_file=
 smtpd_tls_key_file=
 smtpd_use_tls=yes

This tells Postfix to use TLS.

You can get it working again by disabling TLS, or creating new certificates.

Disabling TLS

  1. Change smtpd_use_tls from yes to no
  2. /etc/init.d/postfix restart

Creating new certificates

  1. Find the key file (according to smtpd_tls_key_file). If it is missing, you will have to create a new one. (openssl genrsa -out filename.key 1024; chmod 600 filename.key)
  2. Create a CSR (openssl req -new -key filename.key -out filename.csr)
  3. Create the certificate (openssl x509 -req -days 730 -in filename.csr -signkey filename.key -out filename.crt)
  4. Make it into the .pem format (cat filename.key filename.crt > filename.pem; chmod 600 filename.pem; chown postfix filename.pem)

Then ensure it is where it needs to be according to /etc/postfix/main.cf, and restart Postfix. You should be good to go.

Peter Mortensen
Brent
  • @Brent - Why change it to a .pem format? Any links explaining what differentiates a pem file from the other key file formats would be great. I've wondered this for a very long time. – Noah Goodrich May 19 '09 at 02:19
  • Not sure why it uses a .pem format - that step may be unnecessary. As you can see, the pem format is just a concatenation of the .key and .crt files. – Brent May 19 '09 at 12:03
  • Note that `smtpd_use_tls` is now obsolete; you should use `smtpd_tls_security_level` with the value `may` to allow it. – Charles Stewart Jan 26 '10 at 11:40
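A small check for the failure class described in this answer and in the question's log lines, added here as an example (it is not code from the answer or from Postfix): it parses the two smtpd_tls_*_file directives from main.cf and reports whether each configured file is missing, world-readable (for the private key), or not in PEM format. The main.cf text and the PEM files it inspects are constructed placeholders in a temporary directory, not real key material.

```python
import re
import stat
import tempfile
from pathlib import Path

CERT_MARK = re.compile(rb"-----BEGIN CERTIFICATE-----")
KEY_MARK = re.compile(rb"-----BEGIN (RSA |EC )?PRIVATE KEY-----")

def parse_main_cf(text):
    """Return {directive: value} for 'name = value' lines; comments and blanks ignored."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line.split("#", 1)[0].strip())
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf

def check_pem_file(path, marker, private=False):
    """Classify one configured file the way the smtpd warnings on this page would."""
    if not path:
        return "not configured"
    p = Path(path)
    if not p.is_file():
        return "missing"                  # fopen: No such file or directory
    if private and stat.S_IMODE(p.stat().st_mode) & stat.S_IROTH:
        return "world-readable"           # a private key must not be readable by everyone
    if not marker.search(p.read_bytes()):
        return "not PEM"                  # e.g. a .key path that really holds a certificate
    return "ok"

def diagnose(main_cf_text):
    conf = parse_main_cf(main_cf_text)
    return {
        "cert": check_pem_file(conf.get("smtpd_tls_cert_file", ""), CERT_MARK),
        "key": check_pem_file(conf.get("smtpd_tls_key_file", ""), KEY_MARK, private=True),
    }

def demo():
    """Constructed fixture: the broken state from the question, then the repaired one."""
    d = Path(tempfile.mkdtemp())
    cf = f"smtpd_tls_cert_file = {d}/smtpd.cert\nsmtpd_tls_key_file = {d}/smtpd.key\nsmtpd_use_tls = yes\n"
    broken = diagnose(cf)                 # nothing on disk yet: the 'cannot get certificate' case
    # Placeholder PEM bodies (not real key material), laid out the way step 4 above produces them
    (d / "smtpd.cert").write_bytes(b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n")
    (d / "smtpd.key").write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\nMIIC...\n-----END RSA PRIVATE KEY-----\n")
    (d / "smtpd.key").chmod(0o600)
    return broken, diagnose(cf)
```

Run diagnose() against the real /etc/postfix/main.cf contents to get the same three-way classification for a live server.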

It would appear as though you have an issue with "/etc/postfix/ssl/smtpd.cert": either the file is missing, the permissions on it are wrong, or the formatting of the certificate inside it is invalid.

WerkkreW

I had this problem. It turned out the name of my private key was mailserver.pem, and yet in Postfix's configuration it was mailserver.key. I'd followed a tutorial which had both with a .pem extension.

I also had both the cert and private key readable only by root, and I changed this so that they were readable by both root and postfix (chown root:postfix filename; chmod 640 filename). Not sure if this second step is required.

thomasrutter